Solved

Setting permissions on Network folders

Posted on 2013-05-30
Last Modified: 2013-06-27
Hi
I have been having some issues setting up permissions on folders that I have created on a new file server.
Here is what I have done so far:
I have a Win2008R2 Ent. file server with all the roles installed.
A SAN drive is attached to the file server and on that SAN drive I have created a folder called Departments and shared it. This folder is going to be the root folder. Under that folder, I have created several sub folders.
Let’s just say the folders are:
Acct
Admin
Finance
HR
Eng
Eexcs
IT
Man
CS


My plan is to have each group have read/write access only to their departmental folder.
They should not be able to access folders belonging to the other departments. Accounting should only access acct folder, HR group should only access HR, Admin should only access the admin folder, etc.

Permission on the departments root folder is set up as shown below:
Domain admin has full control
FS admins have Full Control
Domain users have list control




And here is how permission is set up on one of the sub folders:
Let’s take the Finance group.
Finance Group has Read/Write
Domain Admins have Full Control
Domain Users have List

What I want to accomplish here is that I don’t want the Domain Users group to be able to list the contents of the folders.


Right now they can do that.
I removed the Domain Users group from the folder, but after doing that, the Finance group couldn’t access the folder at all. So I ended up putting it back. If anyone can give me some help, I would appreciate it.
Question by:bb8176
3 Comments

Expert Comment

by:Rsilva98
Add the corresponding group to each share. Also remove the inherit option on the root folder.

Accepted Solution

by:
93SysAdmin9393 earned 500 total points
I would recommend following the Microsoft best practices for security group nesting to assign permission to resources.  In the long run it gives you a very good idea of what users or groups will have access to various shared resources.  

Assign permissions to resources to Domain Local groups, make Global group members of the Domain Local group, and then put your users in the Global groups.  If you want to know who has permission to a particular folder, just find the domain local group assigned to it and see who is a member.

Also, you will only want your admins to have Full Control; the highest permission that you will want your mortal users to have is "modify", but I think that you've got that covered.

For instance take the Finance folder:

Remove inheritance from the folder (as previously suggested).

Create a Domain local group called "Finance Full-Control", put your domain admins security group and your "FS Admins" Global security group in it and give that group full control NTFS permissions on that folder.

Create a Domain local group "Finance Modify" and assign modify permissions on that folder to that group.

Create a Global group called "Finance Users" and make that group a member of the "Finance Modify" domain local group.

Put your finance department users into the "Finance Users" group.

Finally, open the Share and Storage Management console and choose your share, choose properties, then advanced properties and choose "Enable access-based enumeration".  That will make it so that only users with access to a particular folder will be able to see it; to everybody else it will appear that it does not exist.

I think that I covered all of the steps and I hope that helps.
0
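The group nesting and NTFS steps from the accepted answer, scripted for the Finance folder as an added example (not code posted by anyone in the thread). The folder path, OU, NetBIOS domain name and sample user accounts are assumptions to replace with your own; `/inheritance:r` (drop inherited entries rather than copy them) is one reading of "remove inheritance".

```powershell
# Added example: AGDLP layout for one departmental folder.
# Assumed values (not from the thread): $Folder, $OU, $Domain, $DeptUsers.
Import-Module ActiveDirectory

$Dept      = 'Finance'
$Folder    = 'E:\Departments\Finance'        # assumed path on the SAN volume
$OU        = 'OU=Groups,DC=example,DC=com'   # assumed OU for the new groups
$Domain    = 'EXAMPLE'                       # assumed NetBIOS domain name
$DeptUsers = @('jdoe', 'asmith')             # hypothetical finance accounts

# Domain Local groups carry the NTFS permissions on the folder.
$dlFull   = "$Dept Full-Control"
$dlModify = "$Dept Modify"
# The Global group holds the department's user accounts.
$gUsers   = "$Dept Users"

New-ADGroup -Name $dlFull   -SamAccountName $dlFull   -GroupScope DomainLocal `
            -GroupCategory Security -Path $OU
New-ADGroup -Name $dlModify -SamAccountName $dlModify -GroupScope DomainLocal `
            -GroupCategory Security -Path $OU
New-ADGroup -Name $gUsers   -SamAccountName $gUsers   -GroupScope Global `
            -GroupCategory Security -Path $OU

# Nesting: admin groups -> Full-Control, department Global group -> Modify.
Add-ADGroupMember -Identity $dlFull   -Members 'Domain Admins', 'FS Admins'
Add-ADGroupMember -Identity $dlModify -Members $gUsers
Add-ADGroupMember -Identity $gUsers   -Members $DeptUsers

# Grant the explicit entries first so the admins are never locked out,
# then drop everything inherited from the Departments root
# (including the inherited Domain Users "list" entry).
# (OI)(CI) = applies to this folder, subfolders and files.
icacls $Folder /grant "${Domain}\${dlFull}:(OI)(CI)F" "${Domain}\${dlModify}:(OI)(CI)M"
icacls $Folder /inheritance:r

# Review the resulting ACL: only the two Domain Local groups should remain.
icacls $Folder
```

Users pick up the new group membership at their next logon. Access-based enumeration is still enabled on the share through the console step described in the answer.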
 

Author Closing Comment

by:bb8176
This worked for me.